SYSTEM AND METHOD FOR DETECTING AND REPORTING CABLE NETWORK
DEVICES WITH DUPLICATE MEDIA ACCESS CONTROL ADDRESSES 

BACKGROUND 

[0001] The present invention relates generally to the field of network management. More 
particularly, the present invention permits the detection of cable modems and cable network 
devices with duplicate media access controller (MAC) addresses. 

[0002] Every network interface has a media access controller (MAC) address, also known as the 
physical address. This is the actual hardware address that the lowest level of the network uses to 
communicate. In cable networks, the MAC address is used to assign an Internet protocol (IP) 
address to a device by means of a dynamic host configuration protocol (DHCP) server. The 
MAC address is theoretically unique to a particular device. This permits an IP network service 
provider to use the MAC address as a vehicle for authorizing access to its network and further 
aids in billing users for services. 

[0003] A cable network comprises a variety of cable network devices, including cable modems 
(CMs) and cable modem auxiliary devices (CMADs) such as multimedia terminal adapters 
(MTAs) and two-way set top boxes (STBs). Each of these devices is assigned an IP address by 
the cable network based on the MAC address of the device. Ideally, at the time of manufacture, 
each cable network device (e.g., a CM, MTA, set top box among others) is assigned a MAC 
address that uniquely identifies that device. Either through error at the time of manufacture, or 
through malicious intent (hacking), a cable network device may appear on a cable network with 
a MAC address that has already been assigned to another cable network device. As the MAC 
address is often the sole identifier used to identify and authenticate a cable network device for
network connectivity, programming delivery and billing purposes, it is imperative to guarantee 
the uniqueness of the MAC address for each cable network device in order to thwart "theft of 
services." 

[0004] In the cable environment, access to the cable network's data service is provided to 
CMADs through a cable modem (CM). Increasingly, CMs are required to comply with an 
industry standard referred to as the "Data Over Cable Service Interface Specification" or 
DOCSIS. DOCSIS provides a set of standards and a certifying authority by which cable 
companies can achieve cross-platform functionality in Internet delivery. A DOCSIS compliant 
cable network comprises cable modem termination systems (CMTSs) and cable modems that 
form the interface to an Internet service provider (ISP). The CM provides two-way connectivity 
between a customer and the ISP through the CMTS. A cable modem termination system 
(CMTS) is a component that exchanges digital signals with CMs on a cable network. 

[0005] High-speed data (HSD) service is delivered to a subscriber through channels in a coaxial 
cable to a CM. An upstream channel is used to communicate from the CM to the CMTS. A 
downstream channel handles communication from the CMTS to the CM. When a CMTS 
receives signals from the CM, the CMTS converts these signals into Internet Protocol (IP) 
packets, which are then sent to an IP router for transmission across a managed IP network. 
When a CMTS sends signals to a cable modem, the CMTS modulates the downstream signals 
for transmission across the cable to the CM. 

[0006] The provisioning of the CM is an example of an authentication process. A DHCP server 
associated with a CMTS uses the CM MAC address to determine whether a customer is 
authorized to receive HSD service via the CM (based on finding the MAC address in a 
provisioning/authentication database) and what level of service an authorized subscriber is
entitled to receive. In a cable network with a single CMTS, the CMTS will deny an attempt by 
a CM to present a MAC address that is currently registered by that CMTS. However, if the 
cable network utilizes multiple CMTSs and if the second use of the MAC address is presented to 
a CMTS that is not the CMTS that registered the first instance of that MAC address, the 
duplicated MAC address will not be detected.

[0007] With the development of packet switching and the growth of the Internet, interest in
real-time services, such as voice over IP (VoIP) and gaming using packet switching technology has
grown. Real-time services over cable are subject to a variety of standards, including the various 
standards issued by Cable Television Laboratories, Inc. under the "PacketCable™" standard. 
The standards are directed to end-to-end functions, including signaling for services, media 
transport at variable QoS levels, security, provisioning of the client device, billing, and other 
network management functions. VoIP is the first service defined for this platform, but others are 
expected to follow. PacketCable services utilize a subscriber's CM and a multimedia (or media) 
terminal adapter (MTA). The MTA is connected between the CM and other subscriber 
equipment. For VoIP service, for example, the MTA connects to a standard telephone and 
handles voice compression, packetization, security, and call signaling. An MTA may be 
designed to be either a separate standalone device or to be embedded within the CM. The MTA 
and the CM are assigned separate media access control (MAC) and IP addresses, even if the 
elements are integrated into a single device. Typically, the MAC address of the MTA 
component of an integrated MTA/CM device is the MAC address of the CM component plus 1. 
The CMTS uses the Data Over Cable Service Interface Specification (DOCSIS) protocol (also 
issued by Cable Television Laboratories, Inc.) on the access network to manage access network
resources for PacketCable services. 

[0008] The DHCP server uses the MTA MAC address and the CM MAC address to determine 
whether a HSD service customer is entitled to receive PacketCable services through the MTA. 
In determining whether to authorize the MTA, the CM MAC is checked to see if the MTA 
DHCP request came through a CM that is entitled to data and voice service. The MTA MAC is 
also checked by the DHCP server to see what kind (make and model) of MTA is making the 
request so that the MTA can be told to request the appropriate type of MTA configuration file 
(which may contain make/model specific instructions). However, while it has been suggested 
that the relationship between the CM MAC and the MTA MAC can be exploited to police 
service theft, no system today checks to see if the two MAC addresses "belong" to each other. 

[0009] Because the MTA is not "registered" by the CMTS before the MAC address is presented 
to the DHCP server, duplicate MTA addresses may not be detected even on a system with a 
single CMTS if used behind different CMs. 

[0010] The two-way set-top box (STB) is another example of a CMAD that is provisioned by the
cable network with an IP address based on the MAC address of the STB. The STB utilizes an
integrated cable modem (which is provisioned in the same manner as a standalone CM) to
communicate with a DHCP server, and receives its IP address based on both the integrated
CM's and STB's MAC addresses. As in the case of the MTA, a duplicate STB MAC address 
can operate behind two or more legitimate CM MAC addresses without being detected. 

[0011] In cable networks comprising regional networks, the detection of multiple MAC 
addresses from cable network devices is more difficult. CMs, for example, may present the 
same MAC addresses to different CMTS within a regional network or across different regional
networks. 

[0012] The consequences of allowing cable network devices with duplicate MAC addresses to
operate on a cable network can be significant. If a "rogue" cable modem, MTA or other cable 
network device were to share the same MAC address as a legitimate cable network device, the 
"rogue" device would receive the same service as the legitimate device. If the legitimate device 
user is charged for service based upon the quantity of service used, it is likely that the legitimate 
user will be charged for the services utilized by the "rogue" device. Resolving payment disputes 
is costly for the cable service provider and, at a minimum, annoying and inconvenient for their 
subscribers. 

[0013] As noted above, a cable network in which a single DHCP server supports a CMTS
provides some level of protection against duplication of MAC addresses by CMs. CMs are 
identified to the cable network through an initialization process managed by the CMTS. The 
CM is initialized with the CMTS through a series of handshakes that comprise an exchange of 
data. When a CM is powered on, it scans the cable network for a downstream data channel 
carrying a signal that the CM recognizes as coming from the CMTS. The signal from the 
CMTS comprises an instruction set used by the CM module to communicate with the CMTS. 
The CM receives and implements the instruction set and then obtains from the CMTS 
parameters concerning available upstream channels on which the device may transmit. Other 
operational parameters are acquired and the CM is registered on the cable network. 

[0014] In this provisioning example, the CM sends a dynamic host configuration protocol 
(DHCP) request to the CMTS for an Internet protocol (IP) address and other parameters. The IP 
address enables the CM to establish its identity for receiving the downstream data addressed to it 
and for transmitting data from a known Internet address. The request includes the MAC address
of the CM. If the MAC address of the CM is not associated with a previously registered CM, 
the CMTS forwards the CM's request for the IP address to the DHCP server assigned to that 
CMTS. This server contains a database or pool of IP addresses allocated to the Internet devices 
on the network. The DHCP server responds through the CMTS with an IP address and other 
necessary data. The CM extracts this data from the message and immediately configures its IP 
parameters. 

[0015] As noted, the DHCP request message contains the CM's MAC address. The CMTS receives
the DHCP request and adds its own unique identifier (typically referred to as a gateway interface
address or "giaddr") to the DHCP request. The giaddr identifies the CMTS through which the
CM is communicating and is used by the DHCP server to determine from which pool of IP
addresses a specific IP address for the CM will be selected. Thus, the intended function of the
giaddr is to aid in the assignment of IP addresses. 

[0016] The CMTS maintains a list of CM MAC addresses for CMs that are currently registered 
with the CMTS. If a CM is registered and another CM with the same MAC address as the first 
CM attempts to register with that CMTS, the CMTS will typically reject the second CM's 
registration attempt. Note that there is no mechanism for the CMTS to determine which of the 
CMs is the "rightful owner" of the CM MAC address; it can only determine that a CM is 
attempting to register with a MAC address with which another CM is currently registered.

[0017] The provisioning process for a CMAD (e.g., an MTA) differs from the process experienced
by the CM in that the CMAD provisioning is not managed by the CMTS and the CMAD is not 
registered with the CMTS before presenting its MAC address to a DHCP server. Rather, the 
CMAD is provisioned after the CM has been authorized by the CMTS and assigned an IP 
address by the DHCP server. For example, two MTAs presenting the same MTA MAC address
via different CMs presenting different and valid CM MAC addresses will not be detected by the 
CMTS. As noted, the DHCP request from the MTA comprises the MAC address of the MTA 
and the MAC address of the CM to which the MTA is connected. It has been suggested that the 
MTA MAC address be associated with the CM MAC address to detect use of a single MTA 
with multiple CMs. No specific implementations of this suggestion have been found. Even if 
implemented, this association does not address the problem of detecting unauthorized MTA 
usage when the cable network comprises multiple CMTSs or multiple networks each with its 
own CMTS and DHCP server support.

[0018] What is needed are means for identifying cable network devices having the same MAC
address on a single CMTS or multiple CMTSs, either as part of a single network or as part of
multiple networks within a cable network. 

SUMMARY 

[0019] An embodiment of the present invention is a method for detecting cable network devices
(CNDs) that have the same MAC address. For the purposes of this application, a CND is a 
cable network device that receives an IP address from an appropriate provisioning system based 
on the MAC address of the device. A cable modem (CM) is a special type of CND that 
establishes data communication channels on the cable network and that is registered with a 
CMTS before it is provisioned with an IP address. Other CNDs connect to the CM to utilize the 
data communication channels of the CM. These CNDs are referred to as cable modem auxiliary 
devices (CMADs) and comprise media terminal adapters (MTAs) and two-way set top boxes 
(STBs), among others. CMADs are not registered with the CMTS.

[0020] The MAC address of the CND is associated with the giaddr of the CMTS to which the
device is connected to form a MAC address/giaddr tuple. A datastore stores historical MAC 
address/giaddr tuple data. In one embodiment of the present invention, that datastore comprises 
a central database. In an alternative embodiment, the datastore comprises a distributed database. 
By comparing the MAC address/giaddr tuple data of the CND seeking to access a cable network 
to the MAC address/giaddr tuple data in the datastore, duplicate MAC addresses can be detected 
and managed. 

[0021] In an exemplary embodiment of the present invention, the CND is a cable modem (CM). 
In still another exemplary embodiment of the present invention, the CND is a media terminal 
adapter (MTA). However, the present invention is not so limited. As will be apparent to those 
skilled in the art, any CND that is provisioned by the cable network with an IP address is within 
the scope of the present invention. By way of illustration, in another exemplary embodiment, 
the CND is a set-top box. 

[0022] It is therefore an aspect of the present invention to detect and identify CNDs having the 
same MAC address. 

[0023] It is another aspect of the present invention to detect an attempt over a cable network to 
capture a legitimate MAC address by a user of a CND that is not entitled to receive service from 
the cable operator. 

[0024] It is still another aspect of the present invention to associate a CND with a primary cable
modem termination system (CMTS).

[0025] It is yet another aspect of the present invention to associate the MAC address of an MTA
with the MAC address of a CM and with a primary CMTS.

[0026] An embodiment of the present invention is a method for detecting multiple CMADs that
have the same MAC address. A CMTS receives a DHCP request comprising a MAC address of 
a CMAD seeking access to the cable system and a MAC address of a CM to which the CMAD 
is connected. The CMTS forms a proffered identifier of the CMAD by combining a gateway 
interface address of the CMTS with the CM MAC address and the CMAD MAC address. The 
components of the proffered identifier are compared to the components of each of one or more 
stored identifiers stored in a datastore. A determination is made whether the proffered identifier 
and any of the one or more stored identifiers satisfy a first matching criteria comprising a same 
CMAD MAC address component and a different gateway interface address component. In the 
event the proffered identifier and any of the one or more stored identifiers satisfy the first 
matching criteria, a remedial response is selected. 

[0027] In the event the proffered identifier and any of the one or more stored identifiers do not 
satisfy the first matching criteria, a determination is made whether the proffered identifier and 
any of the one or more stored identifiers satisfies a second matching criteria comprising a same 
CMAD MAC address component, a different CM MAC address component, and a same 
gateway interface address component. In the event the proffered identifier and any of the one or 
more stored identifiers satisfy the second matching criteria, a remedial response is selected. 
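
The two matching criteria of paragraphs [0026] and [0027], sketched in Python as an added example (not code from the application). The names `TupleStore`, `Identifier` and the verdict strings are hypothetical; the lookup in the MAC address database and the choice of remedial response are left to the caller, and a request without a CMAD MAC is treated as a CM request, to which only the first criteria applies.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Hypothetical verdict labels; the remedial response itself is the operator's choice.
OK = "ok"
FIRST_CRITERIA = "same_cnd_mac_different_giaddr"
SECOND_CRITERIA = "same_cmad_mac_different_cm_mac_same_giaddr"


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 00-11-22-AA-BB-CC and 0011.22aa.bbcc compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Identifier:
    """Proffered or stored identifier: giaddr + CM MAC (+ CMAD MAC)."""
    giaddr: str
    cm_mac: str
    cmad_mac: Optional[str] = None  # None when the CND is the CM itself


class TupleStore:
    """In-memory stand-in for the datastore of historical tuples."""

    def __init__(self) -> None:
        # Keyed by (device kind, CND MAC) so CM and CMAD histories stay separate.
        self._stored: Dict[Tuple[str, str], Set[Identifier]] = {}

    def check(self, giaddr: str, cm_mac: str, cmad_mac: Optional[str] = None) -> str:
        proffered = Identifier(
            giaddr,
            normalize_mac(cm_mac),
            normalize_mac(cmad_mac) if cmad_mac else None,
        )
        if proffered.cmad_mac:
            key = ("cmad", proffered.cmad_mac)
        else:
            key = ("cm", proffered.cm_mac)
        stored = self._stored.setdefault(key, set())

        # First criteria: same CND MAC, different gateway interface address.
        if any(s.giaddr != proffered.giaddr for s in stored):
            return FIRST_CRITERIA
        # Second criteria (CMAD only): same CMAD MAC, different CM MAC, same giaddr.
        # Every remaining stored tuple already shares the proffered giaddr.
        if proffered.cmad_mac and any(s.cm_mac != proffered.cm_mac for s in stored):
            return SECOND_CRITERIA
        # Unique, or identical to a stored tuple: record it and allow provisioning.
        stored.add(proffered)
        return OK

    def history(self, kind: str, mac: str) -> Set[Identifier]:
        """Stored tuples for one device; flagged requests are never written."""
        return set(self._stored.get((kind, normalize_mac(mac)), set()))


def demo() -> list:
    """Constructed requests: a CM, then an MTA seen behind three different CMs."""
    store = TupleStore()
    return [
        store.check("10.0.0.1", "00:11:22:33:44:55"),                       # new CM
        store.check("10.0.1.1", "0011.2233.4455"),                          # same CM MAC, other CMTS
        store.check("10.0.0.1", "00:11:22:33:44:55", "00:11:22:33:44:56"),  # new MTA
        store.check("10.0.0.1", "00:aa:bb:cc:dd:01", "00:11:22:33:44:56"),  # same MTA, other CM
        store.check("10.0.1.1", "00:aa:bb:cc:dd:02", "00:11:22:33:44:56"),  # same MTA, other CMTS
    ]
```

Because a flagged request is not written to the store, the first tuple recorded for a MAC address stays the reference against which later requests are compared.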

[0028] In another embodiment of the present invention, the cable system comprises a plurality of 
regional networks. Each regional network comprises a regional datastore. The cable system 
further comprises a central datastore in which data from all of the regional datastores reside. In 
this embodiment, the first and second matching criteria are applied regionally using data stored 
in the regional datastore of the regional network to which the CMAD is connected. If the 
proffered identifier satisfies the first and second matching criteria on a regional basis, the first
and second matching criteria are applied to the proffered identifier using data stored in the
central datastore. In this way, the duplicate MAC addresses of CMADs can be detected across
discrete networks.

ATTORNEY DOCKET 2816-033

[0029] In an exemplary embodiment, the CND is a CM. In this exemplary embodiment, a 
plurality of CMTSs is serviced by a single DHCP server. A centralized storage of historical CM 
MAC address/giaddr tuple data is used to identify CMs with duplicate MAC addresses. The 
DHCP server tracks the CM MAC address/giaddr tuple data of all DHCP requests that it 
receives and stores the CM MAC address/giaddr tuple data in a datastore (such as a database). 
When a DHCP request is received from a CM, the DHCP server looks into the datastore to 
determine whether the CM MAC address in the DHCP request has previously been associated 
with a different giaddr (using the first matching criteria described above). If this has occurred, it 
would imply that one of three events has occurred: (1) the CM has been physically moved to a 
different part of the cable infrastructure so that it is connecting through a different CMTS; (2) 
the CM has been assigned to a new CMTS to accommodate a change in the system structure (as, 
for example where a new CMTS has been added to account for subscriber count growth); or (3) 
there are CMs with the same MAC address each requesting an IP address through different 
CMTSs attached to the DHCP server. When such duplication is detected, the DHCP server 
takes a prescribed remedial response (e.g., denies the duplicate registration or permits the 
duplicate registration on a temporary basis) and sends a message to an error log and to a 
monitoring system that alerts support personnel. For CMs with MAC addresses for which the 
DHCP has not previously issued an IP address, the DHCP server will write the MAC 
address/giaddr tuple data to the datastore.

[0030] In an alternate embodiment, the CND MAC address/giaddr tuple data is periodically
gathered from the plurality of CMTSs and stored in the datastore. In another embodiment, the 
DHCP server does not perform the tasks of storing the MAC address/giaddr tuple data in the 
datastore, identifying duplicate MAC addresses, and generating alarms for support personnel. 
Rather, in this embodiment, these tasks are assigned to a separate detection server so as to avoid 
overburdening the DHCP server. 

[0031] In yet another embodiment of the present invention, a multiple service operator (MSO)
uses a regionalized provisioning system to validate customers. (An MSO is a service provider
that operates two or more distinct cable networks.) The CND MAC address/giaddr tuple data is 
gathered from each distinct network and replicated in a centralized datastore. A process 
monitors this centralized datastore to detect duplicate MAC addresses that are associated with 
different CMTSs (using the same or differing DHCP servers) and to alert support personnel 
appropriately. In this way, the duplicate MAC addresses of CNDs can be detected across 
discrete networks. 

[0032] In another exemplary embodiment, the CND is an MTA. In this exemplary embodiment, 
the MTA MAC is associated with both the MAC address of the CM through which the MTA is 
connected to the cable network and the CMTS giaddr. This tuple is used to identify MTAs with 
duplicate MAC addresses. The DHCP server looks into the datastore to determine whether the 
MTA MAC address embedded in the DHCP request has previously been stored in association 
with a different CM MAC address, or if the MTA MAC address has been associated with a 
different giaddr. If either of these associations is detected, the attempt to access the network by 
the MTA is identified as unauthorized and remedial action is taken.

[0033] In yet another embodiment, DHCP logs are parsed to perform historical trending. A log
processor looks for patterns to determine whether a "rogue" CND user is changing his CND 
MAC address over and over again in an attempt to find a legitimate CND MAC address that will 
allow his CND to become provisioned. This process examines the DHCP logs and looks for 
unusually high numbers of DHCP failures due to CNDs with MAC addresses that the 
provisioning system does not recognize. The process also looks for patterns among all MAC 
addresses that fail in order to determine the location of a "rogue" CND (based upon which 
individual CMTS the rogue CND is attempting to provision through), as well as to determine the 
methods being used by the abuser. In an alternate embodiment, historical trending is used to 
determine the validity of a MAC address proffered by a CND attempting to access a cable 
system. 
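
One way to implement the historical trending of paragraph [0033], as an added example that is not part of the application: count distinct unrecognized MAC addresses per giaddr in a sliding window and report the dominant vendor prefix among them. The log line format, the `UNKNOWN_MAC` result code, the function name and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> giaddr=<ip> mac=<mac> result=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) giaddr=(?P<giaddr>\S+) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) result=(?P<result>\S+)$"
)

# Constructed sample: six unknown MACs in five minutes behind one CMTS,
# one successful lease, and two unrelated failures an hour apart on another CMTS.
SAMPLE_LOG = (
    [
        f"2024-03-01T02:0{i}:00 giaddr=10.20.0.1 mac=00:11:22:00:00:0{i} result=UNKNOWN_MAC"
        for i in range(6)
    ]
    + [
        "2024-03-01T02:02:30 giaddr=10.20.0.1 mac=00:aa:bb:cc:dd:01 result=ACK",
        "2024-03-01T02:10:00 giaddr=10.20.1.1 mac=00:de:ad:00:00:01 result=UNKNOWN_MAC",
        "2024-03-01T03:10:00 giaddr=10.20.1.1 mac=00:de:ad:00:00:02 result=UNKNOWN_MAC",
    ]
)


def unknown_mac_bursts(lines, window=timedelta(minutes=10), threshold=5):
    """Return {giaddr: summary} for CMTSs whose peak count of distinct
    unrecognized MACs inside any window reaches the threshold.
    Assumes each giaddr's lines arrive in time order."""
    recent = defaultdict(deque)  # giaddr -> (timestamp, mac) pairs inside the window
    peak = {}                    # giaddr -> largest set of distinct MACs seen so far
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None or m["result"] != "UNKNOWN_MAC":
            continue  # only failures for MACs the provisioning system does not know
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["giaddr"]]
        q.append((ts, m["mac"]))
        while ts - q[0][0] > window:
            q.popleft()
        macs = {mac for _, mac in q}
        if len(macs) > len(peak.get(m["giaddr"], ())):
            peak[m["giaddr"]] = macs

    report = {}
    for giaddr, macs in peak.items():
        if len(macs) < threshold:
            continue
        # A single dominant vendor prefix suggests the failing addresses are
        # variations on one base address rather than unrelated devices.
        oui, hits = Counter(mac[:8] for mac in macs).most_common(1)[0]
        report[giaddr] = {
            "distinct_macs": len(macs),
            "top_oui": oui,
            "top_oui_share": hits / len(macs),
        }
    return report
```

The giaddr in each flagged entry identifies the CMTS, and therefore the part of the plant, through which the failing requests arrived.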

[0034] In still another embodiment of the present invention, the centralized data store associates 
a MAC address of a CND with the first CMTS to which the CND communicates its MAC 
address. If that MAC address is subsequently communicated to a different CMTS (as 
determined by the giaddrs), a response may be taken to determine whether either or both of the 
uses of the MAC address are by a legitimate user using a single CND in different locations or on 
different networks or if the MAC address is being used by different CNDs. In this embodiment, 
the initiation of a response is not dependent upon the simultaneous use of the same MAC 
address by different CNDs. 

[0035] For example, a legitimate user may move a CND from one regional network to another 
regional network of an MSO. In this example, the detection of the CND MAC address from the 
CMTS of the second regional network would provoke a remedial response from the MSO. The 
nature of the remedial response is within the discretion of the MSO. By way of illustration and 
not as a limitation, the CND could be granted temporary access and sent a confirmation message
by the MSO requesting the CND user to respond with a confirmation code. If the CND user 
fails to respond or if the confirmation code is in error, the temporary access would be 
terminated. Otherwise, the temporary access is upgraded to "normal" access. As would be 
apparent to those skilled in the art, other remedial responses may be initiated by the MSO 
without departing from the scope of the present invention. 

[0036] In an alternative embodiment, when a new subscriber is issued a CND, the MAC address of
the CND and giaddr of the CMTS to which the new subscriber is assigned are saved in a 
datastore. When the new subscriber first connects to the network, the CND sends a DHCP 
request to the DHCP server. In this embodiment, the DHCP server looks into the datastore to 
determine whether both the CND MAC address(es) embedded in the DHCP request and the 
giaddr match the values assigned to them when the CND was issued. If not, a prescribed 
remedial response is taken. If the CND MAC address and the giaddr match, the CND is granted 
temporary access and sent a confirmation message requesting the CND user to respond with a 
confirmation code. If the CND user fails to respond or if the confirmation code is in error, the 
temporary access is terminated. Otherwise, the temporary access is upgraded to "normal" access.

DESCRIPTION OF THE DRAWINGS 

[0037] Figure 1 is a block diagram illustrating an embodiment of the present invention in which 
duplicated MAC addresses are detected in a single network using a plurality of CMTSs. 

[0038] Figures 2A, 2B, and 2C illustrate a process according to an embodiment of the present
invention by which duplicate MAC addresses are detected in a single network using a
plurality of CMTSs.

[0039] Figure 3 is a block diagram illustrating an embodiment of the present invention in which
duplicate MAC addresses are detected on a plurality of networks using a plurality of CMTSs.

[0040] Figure 4 illustrates a process according to an embodiment of the present invention of
detecting a duplicate MAC address of a CMAD in a multi-network cable system.

[0041] Figure 5 illustrates a process according to an embodiment of the present invention of
detecting a duplicate MAC address of a CM in a multi-network cable system.



DETAILED DESCRIPTION

[0042] The following terms are used in the description that follows. The definitions are provided for
clarity of understanding:

CM - a cable modem.

CMAD - a cable modem auxiliary device.

CMTS - a cable modem termination system.

CND - a cable network device, including cable modems and cable
modem auxiliary devices.

DHCP server - a dynamic host configuration protocol server.

DOCSIS - "Data Over Cable Service Interface Specification" issued
by Cable Television Laboratories, Inc.

giaddr - the gateway interface address of a CMTS.

HSD - high-speed data (HSD) service.

ISP - an Internet service provider (ISP).

MAC address - the media access controller address of a CND.

MSO - multiple service operator.

MTA - a multimedia (or media) terminal adapter (MTA) and an
example of a CMAD.

QoS - quality of service.

STB - set top box and example of a CMAD.

VoIP - voice over IP.

[0043] An embodiment of the present invention is a method for detecting multiple CNDs that
have the same MAC address. Figure 1 is a block diagram illustrating an embodiment of the 
present invention in which duplicate MAC addresses are detected on a single cable network 
using a plurality of CMTSs. Referring to Figure 1, cable modem auxiliary device A (CMAD 
A) 100 is connected to a CM A 105. CM A 105 interfaces with CMTS A 110 via cable network 
125. Similarly, CMAD B 115 is connected to a CM B 120, which connects to CMTS A 110 via 
cable network 125. Additionally, CMAD C 130 is connected to a CM C 135, which connects to 
CMTS B 140 via cable network 125. 

[0044] The CMADs (CMAD A 100, CMAD B 115, and CMAD C 130) and the CMs (CM A 
105, CM B 120, and CM C 135) comprise cable network devices (CNDs). Each CND is 
identifiable on the network by a unique MAC address assigned to the CND at the time of
manufacture. Additionally, CMTS A 110 and CMTS B 140 are each identified by a unique
gateway interface address (a "giaddr"). CMTS A 110 and CMTS B 140 interface with an IP 
network 145. Connected to IP network 145 are DHCP server 150 and a datastore 165. 
Datastore 165 stores MAC address/giaddr tuple data of CNDs that have been authorized to 
access cable network 120. Additionally, the DHCP server 150 is connected to IP address pool 
155 and MAC address database 160. In an embodiment of the present invention, the MAC 
address of a CND is entered into the MAC address database 160 when a CND is assigned to a 
service subscriber by the operator of cable network 125.

[0045] As previously described, a DHCP request is issued by the CND to the CMTS. The
DHCP request comprises the MAC address of the CND. The CMTS passes the DHCP request 
on to the DHCP server 150, which selects an IP address for the CND based on the CMTS that 
the CND uses for its network connection.

[0046] As illustrated in Figure 1, CMTS A 110 serves both CM A 105 and CM B 120. As
previously noted, a CM presents its MAC address to its serving CMTS during a registration 
process that occurs before the CM issues a DHCP request. The CMTS will refuse registration to 
a CM if that CM presents a MAC address that is duplicative of the MAC address of a previously 
registered CM. For purposes of this discussion, both CM A 105 and CM B 120 are each 
deemed to have been registered with CMTS A 110 with different MAC addresses. 

[0047] Because CM C 135 is registered with CMTS B 140, the current art will not detect or 
prevent CM C 135 from sending a DHCP request comprising the same MAC address as either 
CM A 105 or CM B 120. Because both of these MAC addresses are stored in MAC address
database 160, either MAC address would be sufficient to grant CM C 135 an IP address. 

[0048] As will be described below, the embodiment of the present invention illustrated in 
Figure 1 overcomes this problem with the current art. 

[0049] Figures 2A, 2B, and 2C illustrate a process according to an embodiment of the present 
invention of detecting duplicate MAC addresses using DHCP requests from cable network 
devices (CNDs). As described in the context of Figure 1, a CM issues a DHCP request only 
after the CM has successfully registered with the CMTS to which it is connected. The CMTS 
will refuse registration to a CM if that CM presents a MAC address that is duplicative of the 
MAC address of a previously registered CM. The process illustrated in Figures 2A, 2B, and 2C
is true for all CNDs (including registered CMs) because only a registered CM can present a 
DHCP request. 

[0050] Referring to Figure 2, a CND sends a DHCP request to the CMTS 200. The CMTS adds 
a giaddr to the DHCP request and routes the request to a DHCP server 215. As previously 
indicated, the content of the DHCP request depends on the CND that sends it. A DHCP request 
from a CND comprises the CND MAC address. In the case of a CM, the CND MAC address is
the MAC address of the CM. As the DHCP request of a CMAD (e.g., an MTA or STB) 
comprises a MAC address pair consisting of the CM MAC address to which the CMAD is 
connected and the CMAD MAC address, the CND MAC address is the MAC address of the 
CMAD. The DHCP server determines whether the CND MAC address is in the MAC database 
220. If the CND MAC addresses are not in the MAC database 220, a remedial response is taken 
225. The network administrator determines what is an appropriate remedial response. 
Typically, where the CND MAC address is not in the CND MAC database 220, the user is 
denied service. However, the invention is not so limited and other actions may be taken (such as 
continuing monitoring for fraud source and pattern detection) without departing from the scope 
of the invention. 

[0051] If the CND MAC address is in the MAC database 220, a determination of the type of
CND is made 230. If the CND is a CM 235, the MAC address/giaddr tuple data comprises the 
MAC address of the CM and the giaddr of the CMTS to which it is connected. Referring to 
Figure 2B, the CM MAC address/giaddr data from the DHCP request is compared to entries in 
a datastore 240. A determination is made whether the CM MAC address of the MAC 
address/giaddr tuple data sent from the DHCP server satisfies a matching criteria comprising a 
same CND MAC address previously associated with a different giaddr 245. If the CM MAC 
address in the DHCP request has been previously associated with a different giaddr, the DHCP 
request is evidence that a CM with a duplicate MAC address has been connected to the cable 
network through a different CMTS and a remedial response is taken 250. The network 
administrator determines what is an appropriate remedial response. For example, and not as a 
limitation, the remedial response comprises denying an IP address to the CM, sending an 
advisory message to a network administrator, or recording the event in a log file. 

[0052] If the MAC address/giaddr tuple data is unique or if it matches a previously stored tuple, 
the CM is assigned an IP address from the IP address pool associated with the CMTS. For CMs 
with MAC addresses for which the DHCP has not previously issued an IP address, the DHCP 
server will write the MAC address/giaddr tuple data to the datastore 255. 

[0053] If the CND is a CMAD 260, the MAC address/giaddr tuple data comprises the MAC 
address of the CMAD, the MAC address of the CM to which the CMAD is connected, and the 
giaddr of the CMTS to which the CM is connected. Referring to Figure 2C, the MAC 
address/giaddr tuple data from the DHCP request is compared to entries in the datastore 265. A 
determination is made whether the CMAD MAC address of the MAC address/giaddr tuple data 
sent from the DHCP server satisfies a first matching criteria comprising a same CMAD MAC 
address previously associated with a different giaddr 270. If the CMAD MAC address of the 
DHCP request has been previously associated with a different giaddr, the DHCP request is 
evidence that a CMAD with a duplicate MAC address has been connected to the cable network 
through a different CMTS and a remedial response is taken 275. The network administrator 
determines what is an appropriate remedial response. For example, and not as a limitation, the 
remedial response comprises denying an IP address to the CND, sending an advisory message to 
a network administrator, or recording the event in a log file. 

[0054] If the CMAD MAC address in the DHCP request is associated with the same giaddr as a 
stored MAC address/giaddr tuple (i.e., both the CMAD MAC and the associated giaddr in the 
DHCP request match those elements of a tuple in the datastore), a determination is made 
whether the CMAD MAC address in the DHCP request satisfies a second matching criteria 
comprising a same CMAD MAC address component, a different CM MAC address component, 
and a same gateway interface address component 280. If both the CMAD MAC and the 
associated giaddr in the DHCP request match those elements of a tuple in the datastore and the 
CMAD MAC address is associated with more than one CM MAC address, the DHCP request is 
evidence that a CMAD with a duplicate MAC address has been connected to the cable network 
on the same CMTS and a remedial response is taken 275. 

[0055] If the MAC address/giaddr tuple data is unique or if it matches a previously stored tuple, 
the CMAD is assigned an IP address from the IP address pool associated with the CMTS. For 
CMADs with MAC addresses for which the DHCP has not previously issued an IP address, the 
MAC address/giaddr tuple data is stored in the datastore 280. 

[0056] In yet another embodiment, the process of detecting duplicate CND MAC addresses is 
referred to a separate "detection" server for processing, thereby relieving the DHCP of the 
processing burden. In this embodiment, the detection of duplicate MAC addresses may occur 
after an IP address has been assigned to both the CND entitled to use the MAC address and to 
the CND that has pirated the MAC address. An appropriate remedial response is taken to 
revoke the IP address of the CND using the pirated MAC address. 

[0057] In another embodiment, a cable system comprising multiple networks is served by a 
datastore. Figure 3 is a block diagram illustrating an embodiment of the present invention in 
which duplicate MAC addresses are detected on a plurality of networks using a plurality of 
CMTSs. For clarity, cable modems, customer premises equipment, the MAC address database 
and the IP address pool (illustrated in Figure 1) are not illustrated. Referring to Figure 3, 
regional network A 315, regional network B 330 and regional network C 345 each are 
connected to multiple CMTSs (illustrated for regional network A 315 as CMTS A1 300, CMTS 
A2 305, and CMTS A3 310). While only three regional networks are illustrated, the present 
invention is not so limited. Any number of regional networks each connected to any number of 
CMTSs may be served by the present invention without departing from its scope. 

[0058] Each regional network is connected to a DHCP server that in turn is connected to a 
regional datastore comprising MAC address/giaddr tuple data. As illustrated, regional network 
A 315 is connected to DHCP server A 320, which is connected to regional MAC address/giaddr 
datastore A 325. Similarly, regional network B 330 is connected to DHCP server B 335 which 
is connected to regional MAC address/giaddr datastore B 340, and regional network C 345 is 
connected to DHCP server A 350 which is connected to regional MAC address/giaddr datastore 
A 355. Additionally, each regional network is connected to a multiple service operator (MSO) 
network 360. A central MAC address/giaddr datastore 365 is also connected to MSO network 
360. A central detection server 370 is linked to each regional network through MSO network 
360 and to central MAC address/giaddr datastore 365. 

[0059] Figure 4 illustrates a process according to an embodiment of the present invention of 
detecting a duplicate MAC address of a CMAD in a multi-network cable system. Referring to 
Figure 4, the proffered ID is received at a regional detection server 400. In an embodiment of 
the present invention, the regional detection server is a DHCP server but the invention is not so 
limited. The proffered identifier is compared with regionally stored identifiers 405 to determine 
if the proffered ID and any of the regionally stored identifiers satisfies a first matching criteria 
410 comprising a same CMAD MAC address previously associated with a different giaddr. If 
the first matching criteria are satisfied, a remedial response is selected 415. If the first matching 
criteria are not satisfied, a determination is made whether the proffered ID and any of the 
regionally stored identifiers satisfies a second matching criteria 420 comprising a same CMAD 
MAC address component, a different CM MAC address component, and a same gateway 
interface address component. If the second matching criteria are satisfied, a remedial action is 
selected 415. However, if the proffered ID and the regionally stored identifiers do not satisfy 
either the first or the second matching criteria, the proffered ID (the MAC address/giaddr tuple) 
is forwarded to a central detection server 425. 

[0060] The proffered ID is then compared to centrally stored MAC address/giaddr tuple data 
gathered from all of the regional datastores 428 to determine whether the proffered ID and any 
of the centrally stored identifiers satisfies the first matching criteria 430. If the first matching 
criteria are satisfied, a remedial response is selected 435. If the first matching criteria are not 
satisfied, a determination is made whether the proffered ID and any of the centrally stored 
identifiers satisfy the second matching criteria 430. If the second matching criteria are satisfied, 
a remedial action is selected 435. If the proffered ID and any of the centrally stored identifiers 
do not satisfy either the first matching criteria or the second matching criteria, an IP address is 
issued to the CMAD and the proffered ID is stored in both a regional and central datastore 445. 

[0061] Figure 5 illustrates a process according to an embodiment of the present invention of 
detecting a duplicate MAC address of a CM in a multi-network cable system. Referring to Figure 
5, the proffered ID is received at a regional detection server 500. In an embodiment of the 
present invention, the regional detection server is a DHCP server but the invention is not so 
limited. The proffered identifier is compared with regionally stored identifiers 505 to determine 
whether the proffered ID and any of the regionally stored identifiers satisfies a matching criteria 
510 comprising a same CM MAC address previously associated with a different giaddr. If the 
matching criteria are satisfied, a remedial response is selected 515. If the matching criteria are 
not satisfied, the proffered ID (the MAC address/giaddr tuple) is forwarded to a central detection 
server 525. 

[0062] The proffered ID is then compared to centrally stored MAC address/giaddr tuple data 
gathered from all of the regional datastores 528 to determine whether the proffered ID and any 
of the centrally stored identifiers satisfy the matching criteria 530. If the matching criteria are 
satisfied, a remedial response is selected 535. If the proffered ID and any of the centrally stored 
identifiers do not satisfy the matching criteria, an IP address is issued to the CM and the 
proffered ID is stored in both a regional and central datastore 545. 
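
The matching criteria of Figures 2B and 2C and the regional-then-central lookup of Figures 4 and 5 can be sketched as follows. This is an added example, not code from the application: the class and function names, the criterion labels, and the sample MAC addresses and giaddrs are constructed assumptions, and the remedial response itself is left to the caller.

```python
from typing import NamedTuple, Optional

class Identifier(NamedTuple):
    mac: str                      # CND MAC (the CM's own, or the CMAD's own)
    giaddr: str                   # gateway interface address added by the CMTS
    cm_mac: Optional[str] = None  # CM the CMAD is connected to; None for a CM

class Verdict(NamedTuple):
    action: str                     # "issue_ip" or "remedial"
    criterion: Optional[str] = None
    scope: Optional[str] = None     # "regional" or "central"

def norm(mac: str) -> str:
    """Canonical 12-hex-digit form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def make_id(mac, giaddr, cm_mac=None) -> Identifier:
    return Identifier(norm(mac), giaddr, norm(cm_mac) if cm_mac else None)

def criterion(proffered: Identifier, stored: Identifier) -> Optional[str]:
    """Compare a proffered identifier with one stored identifier."""
    if proffered.mac != stored.mac:
        return None
    if proffered.giaddr != stored.giaddr:
        return "different-giaddr"   # same MAC seen through a different CMTS
    if proffered.cm_mac and stored.cm_mac and proffered.cm_mac != stored.cm_mac:
        return "different-cm"       # same CMAD MAC and giaddr, different CM
    return None

class DetectionServer:
    """Regional server when given a central server, otherwise the central one."""
    def __init__(self, central=None):
        self.store = {}             # normalised MAC -> list of stored identifiers
        self.central = central

    def find(self, proffered):
        hits = {criterion(proffered, s) for s in self.store.get(proffered.mac, [])}
        for name in ("different-giaddr", "different-cm"):  # first, then second criteria
            if name in hits:
                return name
        return None

    def remember(self, proffered):
        seen = self.store.setdefault(proffered.mac, [])
        if proffered not in seen:
            seen.append(proffered)

    def handle(self, proffered) -> Verdict:
        hit = self.find(proffered)
        if hit:
            return Verdict("remedial", hit, "regional")
        if self.central is not None:
            hit = self.central.find(proffered)
            if hit:
                return Verdict("remedial", hit, "central")
            self.central.remember(proffered)
        self.remember(proffered)    # unique, or matches a tuple already stored
        return Verdict("issue_ip")

if __name__ == "__main__":
    central = DetectionServer()
    region_a, region_b = DetectionServer(central), DetectionServer(central)
    print(region_a.handle(make_id("02:00:00:00:00:01", "10.1.0.1")))
    print(region_b.handle(make_id("02-00-00-00-00-01", "10.2.0.1")))
```

A rejected identifier is deliberately not written to either datastore, so the tuple stored for the first-seen device is the one later requests are compared against.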

[0063] In another embodiment of the present invention, the CND MAC address/giaddr tuple data 
is periodically gathered from the CMTS and the MAC address/giaddr tuple data stored in a 
datastore. If the cable network comprises regional networks, the CMTS and the MAC 
address/giaddr tuple data are stored regionally and centrally. In this embodiment, a separate 
process (disassociated from the DHCP server processes) is used to monitor the MAC 
address/giaddr tuple data in the datastore, identify duplicate MAC addresses, and generate 
alarms for support personnel. 

[0064] In another embodiment, a MAC address/giaddr datastore is also mined for unusual IP 
address requests. In this embodiment, MAC addresses that are not found by the DHCP server 
(rejected MAC addresses) are also stored in the MAC address/giaddr datastore. The rejected 
MAC addresses are analyzed to determine if a hacker is attempting to find a MAC address 
within the MAC address database 140 (see Figure 1). By way of example, and not as a 
limitation, MAC addresses received by the DHCP that are incremented sequentially over a short 
period of time would be flagged as evidence that a hacker was attacking the cable network. 

[0065] One embodiment of the present invention comprises a method for detecting unauthorized 
access of a cable system by a cable modem. The cable system comprises a datastore. 
Alternatives for the datastore include a central database and a distributed database. The method 
comprises receiving at a cable modem termination system (CMTS) a MAC address proffered by 
a cable modem seeking access to the cable system; forming a proffered identifier by combining 
the gateway interface address of the CMTS with the proffered MAC address; and storing the 
proffered identifier in a data store. 

[0066] In other methods of the present invention, a cable system comprises a cable modem 
termination system (CMTS) and a datastore. Optionally, the cable system may comprise a 
DHCP server linked to the CMTS. The method for detecting unauthorized access of a cable system by a 
cable modem comprises receiving at a CMTS a MAC address proffered by a cable modem 
seeking access to the cable system, forming a proffered identifier by combining the gateway 
interface address of the CMTS with the proffered MAC address, and comparing components of 
the proffered identifier to the components of each of one or more identifiers stored in a 
datastore. A determination is made as to whether the proffered identifier and any of the one or 
more stored identifiers satisfy a matching criteria comprising a same MAC address component 
and a different gateway interface address component; and in the event the proffered identifier 
and any of the one or more stored identifiers satisfy the matching criteria, a remedial response is 
selected. In another embodiment of the present invention, the DHCP server makes the 
determination with respect to the matching criteria. In other methods of the present invention, in 
the event that the proffered identifier and any of the one or more stored identifiers do not satisfy 
the matching criteria, the proffered identifier is stored in the datastore. 

[0067] In yet another method of the present invention, a cable system comprises a plurality of 
regional cable networks, each with at least one CMTS, a regional datastore, and a central 
datastore. The central datastore comprises regionally stored identifiers from each of 
the regional datastores. A method for detecting unauthorized access of a cable system by a cable 
modem comprises receiving at a CMTS a MAC address proffered by a cable modem seeking 
access to one of the plurality of regional cable networks. A proffered identifier is formed by 
combining the gateway interface address of the CMTS with the proffered MAC address. The 
components of the proffered identifier are compared to the components of each of one or more 
identifiers stored in a regional datastore. A first determination is made as to whether the 
proffered identifier and any of the one or more regionally stored identifiers satisfy a matching 
criteria comprising a same MAC address component and a different gateway interface address 
component. In the event the proffered identifier and any of the one or more stored identifiers 
satisfy the matching criteria, a remedial response is selected. In the event the proffered 
identifier and any of the one or more regionally stored identifiers do not satisfy the matching 
criteria, the components of the proffered identifier are compared to the components of each of 
one or more stored identifiers stored in a central datastore. A second determination is made as 
to whether the proffered identifier and any of the one or more centrally stored identifiers satisfy 
the matching criteria. In the event the proffered identifier and any of the one or more centrally 
stored identifiers satisfy the matching criteria, a remedial response is selected. The method 
further comprises, in the event the proffered identifier and any of the one or more centrally 
stored identifiers do not satisfy the matching criteria, storing the proffered identifier in the 
regional datastore and the central datastore. 

[0068] In yet another embodiment of the present invention, a cable system comprises a datastore. 
The datastore comprises one or more rejected MAC addresses. A method for detecting 
unauthorized access of a cable system by a cable modem comprises receiving a MAC address 
proffered by a cable modem seeking access to the cable system and comparing the 
proffered MAC address to each of one or more stored rejected MAC addresses in a datastore. A 
determination is made as to whether the proffered MAC address and any of the one or more 
rejected MAC addresses are related. Rejected MAC addresses may be related temporally, 
sequentially, or by manufacturer code. In the event the proffered MAC address and any of the 
one or more rejected MAC addresses are related, a remedial response is selected. 
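
The analysis of rejected MAC addresses described in paragraphs [0064] and [0068] can be sketched as follows: it flags rejected MAC addresses that increment sequentially over a short period and counts distinct rejected addresses per manufacturer code. This is an added example, not code from the application; the function names, the 300-second window, the minimum run of four, and the sample rejections are constructed assumptions.

```python
import re
from collections import Counter

def mac_to_int(mac):
    """Parse a MAC written with any separator into its 48-bit integer value."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def int_to_mac(value):
    digits = format(value, "012x")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_sequential_probes(rejections, window=300.0, min_run=4):
    """rejections: iterable of (epoch_seconds, mac) for MACs the DHCP server rejected.

    A run grows when a rejected MAC equals an earlier rejected MAC plus one and
    arrives within `window` seconds of it; unrelated rejections arriving in
    between do not break the run.
    """
    last = {}   # MAC value -> (time last rejected, length of run ending here)
    runs = {}   # MAC value where a run starts -> longest length seen
    for when, mac in sorted(rejections):
        value = mac_to_int(mac)
        prev = last.get(value - 1)
        length = prev[1] + 1 if prev and when - prev[0] <= window else 1
        last[value] = (when, length)
        if length >= min_run:
            runs[value - length + 1] = length
    return [{"start": int_to_mac(start), "count": count, "oui": int_to_mac(start)[:8]}
            for start, count in sorted(runs.items())]

def rejects_by_oui(rejections):
    """Distinct rejected MACs per manufacturer code (first three octets)."""
    distinct = {mac_to_int(mac) for _, mac in rejections}
    return Counter(int_to_mac(value)[:8] for value in distinct)

# Constructed sample: five sequential probes, one unrelated rejection in between,
# and two adjacent MACs rejected too far apart in time to count as a run.
SAMPLE_REJECTIONS = [
    (1000, "02:00:00:00:0a:00"),
    (1000, "02:00:00:11:00:00"),
    (1010, "02-00-00-00-0A-01"),
    (1015, "02:aa:bb:cc:dd:ee"),
    (1020, "0200.0000.0a02"),
    (1030, "02:00:00:00:0a:03"),
    (1040, "02:00:00:00:0a:04"),
    (9000, "02:00:00:11:00:01"),
]

if __name__ == "__main__":
    for alert in find_sequential_probes(SAMPLE_REJECTIONS):
        print("sequential rejected MACs:", alert)
    print(rejects_by_oui(SAMPLE_REJECTIONS).most_common())
```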

[0069] In an embodiment of the present invention, a system for detecting unauthorized access of 
a cable network by a cable modem comprises a CMTS and a detection server that is linked to a 
datastore. The CMTS is adapted to receive a MAC address of a CM seeking access to the cable 
system and to form a proffered identifier by combining a gateway interface address of the 
CMTS with the MAC address. The detection server is adapted to receive the proffered identifier 
from the CMTS and to compare the components of the proffered identifier to the components of 
each of one or more stored identifiers stored in the datastore. The detection server is further 
adapted to determine whether the proffered identifier and any of the one or more stored 
identifiers satisfy a matching criteria comprising a same MAC address component and a 
different gateway interface address component. In the event the proffered identifier and any of 
the one or more stored identifiers satisfy the matching criteria, the detection server is adapted to 
select a remedial response. In the event the proffered identifier and any of the one or more 
stored identifiers do not satisfy the matching criteria, the detection server is further adapted to 
store the proffered identifier in the datastore. 

[0070] In another embodiment of the present invention, a cable network comprises a plurality of 
regional cable networks, each having one or more CMTSs, a regional datastore linked to a 
regional detection server, and a central datastore linked to a central detection server. The central 
datastore comprises regionally stored identifiers from each of the regional datastores. The 
CMTS is adapted to receive a MAC address of a cable modem seeking access to one of the 
plurality of regional networks and to form a proffered identifier by combining a gateway 
interface address of the CMTS with the MAC address. A regional detection server is adapted to 
receive the proffered identifier from the CMTS and to compare the components of the proffered 
identifier to the components of each of one or more stored identifiers stored in a regional 
datastore. The regional detection server is further adapted to determine whether the proffered 
identifier and any of the one or more regionally stored identifiers satisfy a matching criteria 
comprising a same MAC address component and a different gateway interface address 
component. In the event the proffered identifier and any of the one or more regionally stored 
identifiers satisfy the matching criteria, the regional detection server is adapted to select a 
remedial response. In the event that the proffered identifier and any of the one or more 
regionally stored identifiers do not satisfy the first matching criteria, the regional detection 
server is adapted to send the proffered identifier to a central detection server. The central 
detection server is adapted to compare the components of the proffered identifier to the 
components of each of one or more stored identifiers stored in a central datastore. The central 
detection server is also adapted to determine whether the proffered identifier and any of the one 
or more centrally stored identifiers satisfy the matching criteria. In the event the proffered 
identifier and any of the one or more centrally stored identifiers satisfy the matching criteria, the 
central detection server is adapted to select a remedial response. In the event the proffered 
identifier and any of the one or more centrally stored identifiers do not satisfy the matching 
criteria, the central detection server is also adapted to store the proffered identifier in the 
regional datastore and the central datastore. 

[0071] In other methods of the present invention, a cable system comprises a CMTS and a 
datastore. A method for detecting unauthorized access of a cable system by a cable modem 
comprises receiving at a CMTS a MAC address. A proffered identifier is formed by combining 
the gateway interface address of the CMTS with the proffered MAC address. The proffered 
identifier is compared to preauthorized identifiers in a datastore. In the event the proffered 
identifier matches a preauthorized identifier, the cable modem is granted temporary access to the 
cable system and a confirmation identifier is requested from the cable modem. In the event the 
confirmation identifier is received from the cable modem, the cable modem is granted access to 
the cable system. 

[0072] A system and method for detecting and reporting cable network devices with duplicate 
media access control addresses have been described. It will be understood by those skilled in 
the art that the present invention may be embodied in other specific forms without departing from 
the scope of the invention disclosed and that the examples and embodiments described herein 
are in all respects illustrative and not restrictive. Those skilled in the art of the present invention 
will recognize that other embodiments using the concepts described herein are also possible. 